I am attempting to setup a mirror-to-backup hook in our repositories. The hook is executing a git push --mirror backup@server:path/foo.git. However it fails stating:

fatal: What do you think I am? A shell?
fatal: The remote end hung up unexpectedly

My .ssh/authorized_keys file has the following entry:

command="/path/to/git-shell" ssh-rsa ....
# no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
# these are all set i just removed them for brevity.

I've tried various combinations but the git-shell documentation is exceedingly sparse. I'm not sure what the problem is I'm hoping someone here could point me in the right direction. What is causing this error? I was under the impression that git-shell was intended to be used with push/pull. Clearly, I must be missing something but I haven't a clue what it is.

3 Answers
3

I think the problem lies in the fact that you've set up a command in the authorized_keys file, but man sshd's section on the authorized_keys file format clearly states:

command="command"
Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. (…)

This means that whenever git-upload-pack attempts to contact git-receive-pack (by way of an ssh command including the call for git-receive-pack, it will be squashed in favour of the command specified in .ssh/authorized_keys.git-shell can and does accept inbound git-related communications, but because the paramaters from git-upload-pack got squashed to null, the former is assuming that someone is trying to open an ordinary terminal, and cuts it off. This is explained in man git-shell:

name
git-shell - Restricted login shell for Git-only SSH accesssynopsis
git shell [-c ]description
A login shell for SSH accounts to provide restricted Git access. When
-c is given, the program executes non-interactively;
can be one of git receive-pack, git upload-pack, git
upload-archive, cvs server, or a command in COMMAND_DIR.(…)

My advice would be (assuming you haven't done so already) to create a seperate user account for git alone, and have that account carry the appropriate public keys in <git-home>/.ssh/authorized_keys. Also, don't forget to remove the forced command from the public key(s) in question.
In addition, I recommend you set up git's user account to use git-shell as it's default shell by modifying /etc/passwd like so: